Bug 2070137 - Unable to build openssh with sanitizer flags enabled
Summary: Unable to build openssh with sanitizer flags enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Dmitry Belyavskiy
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-03-30 13:23 UTC by gkamathe
Modified: 2022-07-01 09:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-08 06:28:28 UTC
Type: Bug
Target Upstream Version:
Embargoed:
gkamathe: needinfo-




Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 3441 0 None None None 2022-06-03 11:16:59 UTC
Red Hat Issue Tracker CRYPTO-7328 0 None None None 2022-05-24 13:11:28 UTC
Red Hat Issue Tracker RHELPLAN-117339 0 None None None 2022-03-30 13:32:21 UTC

Description gkamathe 2022-03-30 13:23:50 UTC
Description of problem:

I am trying to build openssh (from source RPM on brew) with address sanitizer enabled


Version-Release number of selected component (if applicable):

openssh-8.0p1


How reproducible:


Step 1 - Download openssh source rpm from brew (RHEL8 version used openssh-8.0p1)

Step 2 - extract RPM, tar.gz

Step 3 - Run configure within the extracted source directory with the following options


$ ./configure --with-cflags="-fsanitize=address" --with-ldflags="-fsanitize=address"

# or

$ ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address



The above command gets stuck at this stage


checking for arc4random_stir... no
checking for arc4random_uniform... no
checking for ia_openinfo in -liaf... no
checking whether OpenSSL's PRNG is internally seeded... yes
checking whether SECCOMP_MODE_FILTER is declared... yes
checking kernel for seccomp_filter support... yes
checking if select works with descriptor rlimit...    <<<<<<<<<   


Background shows configure running currently at conftest


$ ps -ef | grep configure
root      233731  223357  0 03:23 pts/1    00:00:01 /bin/sh ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
root      241481  233731  0 03:23 pts/1    00:00:00 /bin/sh ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
root      241568  223376  0 03:26 pts/0    00:00:00 grep --color=auto configure
$
$ pstree -pa 223357
bash,223357
  └─configure,233731 ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
      └─configure,241481 ./configure CFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address
          └─conftest,241482
              └─conftest,241483
$
$ ps -ef | grep conftest
root      241482  241481 98 03:23 pts/1    00:03:16 ./conftest
root      241483  241482 99 03:23 pts/1    00:03:17 ./conftest
root      241577  223376  0 03:27 pts/0    00:00:00 grep --color=auto conftest
$



$ pwd
/root/OSSH/openssh-8.0p1
$
$ find . | grep -i conftest
./conftest.sslincver
./conftest.ssllibver
./conftest.c
./conftest
$
$ file ./conftest
./conftest: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=957aa86d3c79a9400d57fbf6d423dfdc4f4e800c, with debug_info, not stripped
$

$ strace -f -p 249471
strace: Process 249471 attached
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0
sched_yield()                           = 0

<< snip >>

$

This seems to be related to the following test within configure.ac

# Some platforms (seems to be the ones that have a kernel poll(2)-type
# function with which they implement select(2)) use an extra file descriptor
# when calling select(2), which means we can't use the rlimit sandbox.
 AC_MSG_CHECKING([if select works with descriptor rlimit])
 AC_RUN_IFELSE(
     [AC_LANG_PROGRAM([[


If I remove the above test from configure.ac, then ./configure with the above flags succeeds; however, make runs into the following errors:

<< snip >>
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o -L. -Lopenbsd-compat/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -fsanitize=address -pie  -lssh -lopenbsd-compat  -lcrypto -lutil -lz  -lcrypt -lresolv 
/usr/bin/ld: ./libssh.a(ssh-pkcs11.o): undefined reference to symbol 'dlsym@@GLIBC_2.2.5'
//usr/lib64/libdl.so.2: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make: *** [Makefile:173: ssh] Error 1
$


Actual results:

./configure hangs

Expected results:

./configure should complete, allowing me to "make" the project

Additional info:


$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 (Ootpa)
$
$ uname -r
4.18.0-348.el8.x86_64
$

Comment 1 gkamathe 2022-03-31 06:38:28 UTC
I had some help on this from elsewhere:


It seems that the configuration test misbehaves because, basically, setting rlimit to zero prevents the address sanitizer from accessing its own files, potentially causing the hang. When run standalone it gives this error:

==112437==Can't open /proc/112436/task for reading.
==112436==LeakSanitizer has encountered a fatal error.
==112436==HINT: For debugging, try setting environment variable
LSAN_OPTIONS=verbosity=1:log_threads=1
==112436==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)

Comment 3 Dmitry Belyavskiy 2022-06-03 11:17:23 UTC
Marek, thanks, reported upstream

Comment 4 Dmitry Belyavskiy 2022-06-06 09:26:45 UTC
Upstream provided an explanation of why such a build is hardly possible and will give us a result significantly different from what we ship.

https://bugzilla.mindrot.org/show_bug.cgi?id=3441 

Dear Gaurav, having this information - do you consider it worth pursuing this goal?

Comment 5 gkamathe 2022-06-08 06:28:28 UTC
@dmitry thank you for pursuing this upstream, I think I'll drop this for now (use workarounds that are available), closing issue

Comment 6 Dmitry Belyavskiy 2022-07-01 08:01:57 UTC
Dear Gaurav, JFYI - upstream is updated, so probably you now have everything for your purposes

Comment 7 gkamathe 2022-07-01 09:10:35 UTC
Thanks Dmitry for working with upstream

